To print this article, all you need is to be registered or login on Mondaq.com.
On July 18, 2023, the Biden Administration announced the launch of the long-awaited
cybersecurity labeling program, called the “U.S. Cyber Trust
Mark,” aimed at providing consumers with a better
understanding of the cybersecurity of the products they use daily.
This labeling program seeks to enhance transparency and competition
in the Internet of Things (“IoT”) device space, to
“help differentiate trustworthy products in the
marketplace,” and to incentivize manufacturers to meet higher
The U.S. Cyber Trust Mark was proposed by Federal Communications
Commission (“FCC”) Chairwoman Jessica Rosenworcel and is
the first of its kind in the cybersecurity sector. This labeling
program is modeled similar to the Energy Star program, which was
created to “bring attention to energy-efficient appliances and
encourage more companies to produce them in the
According to the FCC’s press release, it is estimated that there were
“more than 1.5 billion attacks against IoT devices in the
first six months of 2021 alone” and by the year 2030,
“more than 25 billion connected IoT devices [will be] in
operation.” This program was introduced in response to these
constantly evolving cyber threats impacting IoT products and builds
upon existing public and private sector initiatives aimed to
enhance IoT cybersecurity and labeling practices.
Development of the Cybersecurity Labeling Program
On May 12, 2021, President Biden issued Executive Order
(“EO”) 14028, Improving the Nation’s
Cybersecurity, which, among other things, charged the
National Institute of Standards and Technology (“NIST”)
to recommend requirements for a consumer IoT cybersecurity labeling
program. In response to this directive, NIST developed a profile of
the IoT core baseline for consumer IoT products, presented in the
NISTIR 8259 Series and NISTIR 8425. This profile was used as part of
the recommendations that NIST published in February 2022 in
response to the EO directive, titled Recommended Criteria for Cybersecurity
Labeling for Consumer IoT Products.
NIST’s efforts served to identify key elements of potential
labeling programs in terms of recommending minimum requirements and
specifying desirable outcomes. The FCC used these key elements to
launch the U.S. Cyber Trust Mark labeling program, acting under its
authorities to regulate wireless communication devices.
The U.S. Cyber Trust Mark
The U.S. Cyber Trust Mark will appear on the packaging of
eligible devices and will be comprised of two parts:
- The logo depicting a shield and the words “U.S. Cyber
Trust Mark”; and
- A QR code that can be scanned to continuously verify the
security of the device.
The QR code will link users to a national registry of certified
devices, which will provide “specific and comparable security
information about these smart products” as the cybersecurity
threat landscape evolves over time. The FCC has released its
proposed U.S. Cyber Trust Mark logo in five colorways, although it
is presently unclear whether these colorways are attributed to
varying levels of device security.
The U.S. Cyber Trust Mark Notice of Proposed Rulemaking
Currently, the Cyber Trust Mark program is described in a Notice
of Proposed Rulemaking (“NPRM”), established under the
FCC’s authority to regulate wireless communication devices. The
draft proposal outlines this voluntary labeling program and, if
adopted, the FCC will open a public comment period on the
During the public comment period, the FCC will seek input on
several issues, including, how to best establish this program, the
scope of devices for sale in the U.S. that should be eligible for
inclusion in the labeling program, how the program should be
managed, how to further develop security standards that could apply
to various devices, how to demonstrate compliance with the
standards, and how to best educate consumers about the labeling
While this program is still in its preliminary stages, the FCC
anticipates that this program could be implemented by late 2024.
Once implemented, the Cybersecurity and Infrastructure Security
Agency (“CISA”) will work with the FCC to encourage major
U.S. retailers to prioritize products bearing U.S. Cyber Trust Mark
Label in the marketplace.
Future Developments in Cybersecurity Labeling
According to the announcement, consumers and manufacturers can
expect to see similar initiatives rolled out by other Federal
agencies in the coming years:
- NIST will focus on defining cybersecurity requirements for
consumer-grade routers, which are recognized as a higher-risk
product, if compromised. NIST is slated to finalize these
requirements by the end of 2023 and the FCC will review and
consider these requirements to expand the cybersecurity labeling
program to cover these routers.
- The U.S. Department of Energy plans to collaborate with
National Labs to develop labeling requirements targeted toward
smart meters and power inverters, which it recognizes as essential
components to the smart grid of the future.
- The U.S. Department of State will support the FCC by engaging
with international partners to harmonize standards and labeling
As the U.S. Cyber Trust Mark initiative develops, Sheppard
Mullin’s Governmental Practice Cybersecurity Team will continue to track
program updates, as well as other developments relating to the
Cybersecurity Executive Order.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Technology from United States